Security Working Group Meeting - Wed 14 October - results

Joseph Reynolds jrey at
Fri Oct 16 01:14:13 AEDT 2020

On 10/13/20 2:06 PM, Parth Shukla wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this...
> This Message Is From an External Sender
> This message came from outside your organization.
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday October 14 at 10:00am PDT.
> We'll discuss the following items on the agenda 
> <>, 
> and anything else that comes up:
>  1. (Joseph): Follow up from 2020-8-19: Gerrit code review: BMCWeb
>     webUI login change:
>     Question: What are the security risks of using the proposed config
>      1. Fingerprinting (leak information about the BMC’s manufacturer
>         and version).
>      2. Attackers have an easier time getting the code to find and
>         exploit security bugs.
>      3. May make DoS easier.
>      4. More?

Yes, those are the main risks we talked about.  And it seems reasonable 
for some environments to accept these risks.  We discussed 
fingerprinting, and the desire to minimize this surface going forward.  
We discussed how the Redfish standard requires files to have 
unauthenticated access to static files while the OpenBMC project has 
uses cases that don’t want to allow that, for example, discussion in

> 2. (Joseph): Per 
> do 
> we agree on the approach?  What security categories seem most important?

The Microsoft, IBM, and Common Criteria schemes each have topics that 
seem appropriate.  No other high-level scheme was proposed, so we’ll go 
with these for now.

In particular, will someone please articulate topics from Microsoft 
Security Development Lifecycle (SDL), and we’ll add them to the list. TODO

It was agreed that the list of topics have information that can be 
leveraged by various security development processes.  For example, a 
team that uses OpenBMC in their project and wants to follow a security 
scheme/process/evaluation should be able to use these topics to find 
what they need in the OpenBMC project documentation.

We agreed in principle to organize OpenBMC security work to a subset of 
the topics listed.

Two subtopics were discussed:

2A. We reviewed the security reporting and bug fixing process.  


    The OpenBMC security response team:


    This is what github advocates using:


    What tools do we use to:


    Identify which open source pkgs are used in an openbmc build,


    Identify security bugs in those packages, and


    Ensure that we pull in fixes or otherwise mitigate the problem.

2B. Given that OpenBMC is a Linux Foundation project, what resources 
does the Linux Foundation offer?  Specifically, we want a private secure 
bug tracker for the OpenBMC security response team to use.

The following topic was added:

3. Anton update on privilege separation work


Progress on ipmi-net & bmcweb -- working on dbus config, sockets; which 
areas to sandbox.

To make the migration work (changing from root user to another user), we 
will need to migrate the process’s environment, for example: bmcweb uses 
files in /home/root and it won't have permission afterward.

We discussed how to do the source bump to help CI go more smoothly.

> Access, agenda and notes are in the wiki:
> Regards,
> Parth

More information about the openbmc mailing list